[57] ABSTRACT

Methods and systems are provided which control access by 
a task to an information object in a computer system. The 
task is authenticated by an authentication procedure to act on 
behalf of a user. A computer-implemented method includes 
associating an authentication grade with the authentication 
procedure, identifying at least one clearance level previously 
assigned to the user by a clearance administrator, and 
identifying at least one classification level previously 
assigned to the information object by a classification admin- 
istrator. The method then determines the access rights of the 
task with respect to the information object based at least on 
the authentication grade, the clearance level, and the clas- 
sification level. Information about the user's connection to 
the system may also be considered. The results of the 
determination are distributed to promote consistent access
rights throughout the system.

40 Claims, 6 Drawing Sheets 
COMPUTER NETWORK GRADED AUTHENTICATION SYSTEM AND METHOD

FIELD OF THE INVENTION

The present invention helps protect the secrecy and integrity of information stored on a computer system when a task acting on behalf of a user seeks access to the information. More particularly, the invention helps provide consistent control over access to information on a multi-server network in view of a user's clearance level(s), the information's classification level, a network-wide policy definition, and an authentication grade which reflects the credibility of the procedure used to authenticate a task that seeks to access the information.

TECHNICAL BACKGROUND OF THE INVENTION

"Authentication" involves verifying the correctness of security characteristics to prevent unauthorized changes in the secrecy and/or integrity of information. A variety of authentication procedures and security policies are used to help control access to information stored on networks and other computer systems. Many sources of information about computer system security are available. One source is U.S. Pat. No. 5,349,642, Method and Apparatus for Authentication of Client Server Communication, which is incorporated herein by reference.

The available approaches for protecting the security of information fall generally into two groups, depending on the discretion given or denied to routine users of the computer system. Perhaps the most common of these two approaches to security is known generally as "discretionary access control" or "DAC". DAC is based mainly on determining a user's identity and any relevant groups to which the user belongs. DAC may be implemented using access control lists, capability lists, owner-group-world flags, cleartext names, passwords, biometric scans, or other means.

DAC is discretionary in that the access rights given to a user may be transferred by that user to other users. DAC allows authorized users to change access rights, to grant group membership to other users, or to otherwise transfer rights directly or indirectly.

By contrast, approaches which are known generally as "mandatory access control" or "MAC" do not allow such transfers or changes in access rights. MAC limits access based on the user's clearance level(s) and on the sensitivity of the information, which is reflected in the information's classification level. Clearance and classification levels are determined by one or more system administrators or other security personnel and are not subject to routine change by users. MAC is one of the requirements for systems at the B1, B2, B3, and A1 security levels set forth in the United States Department of Defense Trusted Computer System Evaluation Criteria (known as the "Orange Book").

Both DAC and MAC approaches are sometimes enhanced to reflect knowledge about the user's connection to the system. For instance, tables or filters may be used to further restrict access based on the network file system setup, on whether access is attempted with World Wide Web or File Transfer Protocol software, on UNIX rhosts lists, on the port number, the device used, the LAN segment, the packet addresses, and other characteristics of the connection.

The wide variety of identification, authentication, and security techniques and equipment in use creates problems for network and other system administrators. The degree of administrative difficulty and the risk of errors grows rapidly as the number of computers involved and the number of security options for each computer multiply.

Moreover, the effective security of a system may be inadvertently weakened when the system is enhanced to allow new means of access. For instance, if an additional server is placed on a system, that server defines its own access controls based on its local filters, software and hardware. Unless detailed preventive steps are taken, different servers can provide the same user with different degrees of access to the same information. This leads at best to administrative complexity, and in the worst case allows unauthorized access to sensitive information.

Similar problems arise when two networks are initially connected. One current approach requires that everyone using the combined system conform with the strictest authentication procedure previously in use on either system. But this is not always feasible, and the resulting new barriers may unnecessarily restrict access to information that is not especially sensitive. Under another approach the combined system uses the weakest authentication procedure that was previously in use on either system. This does not impose unnecessary new barriers, but it may place sensitive information at risk.

Thus, it would be an advancement in the art to provide a novel system and method for providing a consistent access policy in a network.

It would be an additional advancement to provide such a system and method which combines useful aspects of the DAC and MAC approaches to security with information about the authentication procedure(s) used on the network.

Such a method and system are disclosed and claimed herein.

BRIEF SUMMARY OF THE INVENTION

The present invention provides methods and systems for managing the access of information objects by a task operating on behalf of a user of a network or other computer system. In one embodiment, the task is first authenticated by an authentication procedure which has an associated authentication grade. Information is also gathered about the user's clearance level(s), the information's classification level, and the user's connection to the system. The invention combines the novel approach of grading authentication procedures with known but useful aspects of the DAC approach to security (such as access control lists) and other known but useful aspects of the MAC approach (such as clearance and classification levels).

The read-write access rights of the task with respect to the information object are based at least on the authentication grade, the clearance level(s), and the classification level. The authentication grade may be represented in an authentication grade label which is an instance of a more general label and is stored with a security policy on a server computer. The classification level may be similarly represented in a classification label which is also an instance of the general label; the classification label is stored with the information object or otherwise associated with that object. The clearance level(s) may likewise be similarly represented in one or more clearance labels, each of which is an instance of the general label and is stored with or otherwise associated with the task and/or user.

The effective clearance label is generated based on the clearance label(s) and the authentication grade label. The effective clearance label may be part of a credential which
may also contain a digital user signature of the data contained therein. The effective clearance label (but not the signature) may be distributed to promote consistency of access rights throughout the system.

The task may be a "trusted task" which is assigned a nontrivial effective clearance range defined by two task effective clearance labels having different values. Or the task may be assigned a single effective clearance label which defines a trivial effective clearance range. In order for a task to be "trusted," multiple clearance levels must be associated with the corresponding user and/or with the task itself, with an indication that more than one level may be assumed at a time.

The access rights of the task with respect to the information object are determined by comparing the task effective clearance label(s) with the information object label in view of a policy, such as a policy that implements the familiar Biba interpretation of the Bell-LaPadula model. Comparison may include DAC constraints and/or determining whether levels dominate one another.

Read and write access may be granted or allowed if and only if a particular authentication procedure is used by the task. Alternatively, all authentication procedures may result in equal access rights. In the general case, however, use of some authentication procedures will provide greater access rights to at least some information objects than the rights provided when the task uses other authentication procedures.

Other features and advantages of the present invention will become more fully apparent through the following description.

BRIEF DESCRIPTION OF THE DRAWINGS

To illustrate the manner in which the advantages and features of the invention are obtained, a more particular description of the invention will be given with reference to the attached drawings. These drawings only illustrate selected aspects of the invention and thus do not limit the invention's scope. In the drawings:

FIG. 1 is a diagram illustrating a computer network which is one of many computer systems suitable for use with the present invention.

FIG. 2 is a flowchart illustrating a method for configuring part or all of a computer system according to the present invention.

FIG. 3 is a flowchart illustrating a method for enforcing security restrictions in part or all of a computer system configured according to the present invention.

FIG. 4 is a diagram illustrating a partially ordered collection of authentication grades according to the present invention.

FIG. 5 is a diagram illustrating an extension of the partially ordered collection in FIG. 4 to include an additional authentication grade.

FIG. 6 is a diagram illustrating one of the suitable formats of a general label structure according to the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

The present invention relates to a method and system for controlling access to information objects which are stored on, or accessible through, a computer network or other computer system. Information objects include, without limitation: directory service database partitions; file system volumes; hierarchical database components; Novell Directory Services components such as containers, leaves, objects, and attributes; relational database components such as tables; file system directories; and files.

Computer networks which may be configured according to the invention include local networks, wide area networks, and/or the Internet. "Internet" as used herein includes variations such as a private Internet, a secure Internet, a value-added network, a virtual private network, or an intranet. The computers connected by the network may be workstations, laptop computers, disconnectable mobile computers, file servers, or a combination thereof. The network may include one or more LANs, wide-area networks, Internet servers and clients, intranet servers and clients, or a combination thereof.

One of the many computer networks suited for use with the present invention is indicated generally at 10 in FIG. 1. In one embodiment, the network 10 includes Novell NetWare® network operating system software (NETWARE is a registered trademark of Novell, Inc.). In alternative embodiments, the network includes NetWare Connect Services, VINES, Windows NT, Windows 95, LAN Manager, or LANtastic network operating system software and/or an implementation of a distributed hierarchical partitioned object database according to the X.500 protocol (VINES is a trademark of Banyan Systems; NT, WINDOWS 95, and LAN MANAGER are trademarks of Microsoft Corporation; LANTASTIC is a trademark of Artisoft). The network 10 may include a local area network 12 which is connectable to other networks 14, including other LANs or portions of the Internet or an intranet, through a gateway or similar mechanism.

The network 10 includes several file servers 16 that are connected by network signal lines 18 to one or more network clients 20. The file servers 16 and network clients 20 may be configured by those of skill in the art in a wide variety of ways to operate according to the present invention. The file servers 16 may be configured as Internet servers, as intranet servers, as directory service providers or name servers, as software component servers, or as a combination thereof. The servers 16 may be uniprocessor or multiprocessor machines. The servers 16 and clients 20 each include an addressable storage medium such as random access memory and/or a non-volatile storage medium such as a magnetic or optical disk.

Suitable network clients 20 include, without limitation, personal computers 22, laptops 24, workstations 26, and dumb terminals. The signal lines 18 may include twisted pair, coaxial, or optical fiber cables, telephone lines, satellites, microwave relays, modulated AC power lines, and other data transmission "wires" known to those of skill in the art. In addition to the network client computers 20, a printer 28 and an array of disks 30 are also attached to the network 10. A given computer may function both as a client 20 and as a server 16; this may occur, for instance, on computers running Microsoft Windows NT software. Although particular individual and network computer systems and components are shown, those of skill in the art will appreciate that the present invention also works with a variety of other networks and computers.

The file servers 16 and the network clients 20 are capable of using floppy drives, tape drives, optical drives or other means to read a storage medium 32. A suitable storage medium 32 includes a magnetic, optical, or other computer-readable storage device having a specific physical substrate configuration. Suitable storage devices include floppy disks,
hard disks, tape, CD-ROMs, PROMs, RAM, and other computer system storage devices. The substrate configuration represents data and instructions which cause the computer system to operate in a specific and predefined manner as described herein. Thus, the medium 32 tangibly embodies a program, functions, and/or instructions that are executable by the file servers 16 and/or network client computers 20 to perform information object access management steps of the present invention substantially as described herein.

FIG. 2 illustrates a method of the present invention for configuring a computer system such as the network 10, or a portion of such a system. During an associating step 34, one or more authentication procedures used with the system 10 (FIG. 1) are associated with one or more authentication grades and a partial ordering is imposed on the authentication grades. Partial ordering is discussed below in connection with FIGS. 4 and 5.

The associating step 34 is adaptable to meet the needs of different systems 10. According to one method of the invention the associating step 34 associates a plurality of authentication procedures with the same authentication grade. Under another method, each of at least two authentication procedures is associated with its own distinct authentication grade.

Various criteria may be used when deciding which grade to associate with a given authentication procedure. If one authentication procedure has stronger cryptography than another authentication procedure, the associating step 34 may associate a higher authentication grade with the authentication procedure that has stronger cryptography. If one authentication procedure reviews a user identity certificate and another authentication procedure does not, the associating step 34 may associate a higher authentication grade with the authentication procedure that reviews the user identity certificate. If one authentication procedure requires a hardware token and another authentication procedure does not, the associating step 34 may associate a higher authentication grade with the authentication procedure that requires the hardware token. If one authentication procedure verifies that trusted hardware and/or trusted software is in use and another authentication procedure does not, the associating step 34 may associate a higher authentication grade with the authentication procedure that verifies such use. Other criteria familiar to those of skill in the art may also be used.

FIGS. 4 and 5 illustrate results of the associating step 34 in one embodiment of the invention. Authentication grades are represented by partially ordered lattice elements 60 through 70. A "partial ordering" is an ordering of authentication grades in which each grade is either less than, greater than, or not comparable to, each other grade.

It may be convenient to have a highest grade which is greater than every other grade, and a similar lowest grade which is less than every other grade. One or two internal system grades with no associated real-world authentication procedure may be added if necessary to occupy the highest and lowest positions in the partial ordering. In FIGS. 4 and 5, the System High grade 66 and the System Low grade 68 are such internal grades. In other embodiments, no System High grade and/or no System Low grade are employed.

A "total ordering" is a special case of a partial ordering, in which each grade is either less than or greater than each other grade. "Partial ordering" thus includes orderings in which at least two grades are not comparable, and also includes total orderings.

In presently preferred embodiments of the invention, the partial ordering is unchangeable, in the sense that altering the less than/greater than/incomparable relationship of any two authentication grades requires reconfiguring the security of the system, is not routine, and can be performed only by authorized system security personnel such as the network administrator. In such cases, changing the partial ordering imposed on the authentication grades may require changing at least one previously assigned classification level; classification levels are discussed below.

FIG. 5 illustrates the partially ordered authentication grades of FIG. 4 after an additional authentication procedure has been associated with its own additional authentication grade 70; the partial ordering has been extended to include the additional authentication grade 70. Such extensions are preferably accomplished only by authorized security personnel, but may be routine for such personnel and do not require denial of access to the system 10 while the extension is being made.

Returning to FIG. 2, during a clearance label assigning step 36, the clearance level(s) of the user(s) and/or task(s) are identified and embodied in a suitable data structure. A user and/or task may have a single clearance level, a range of clearance levels, or even a list of clearance level ranges. The clearance level(s) may be associated with a task rather than a user if the task does not operate directly on behalf of any user. Clearance levels may be defined by a clearance administrator according to familiar criteria, such as those employed under mandatory access control. The defined clearance level(s) are then embodied in a label or other form and stored with or otherwise associated with the user or task in question. One suitable label format is discussed below in connection with FIG. 6, and those of skill in the art will readily create or identify other suitable embodiments.

During a classification label assigning step 38, the classification level of the information object to which access is sought is identified and similarly embodied in a suitable data structure. The same label format may be used to embody clearance labels and classification labels, or different formats may be used. Classification label values are preferably not changed once assigned to an information object; persistent object label values provide the system with a quality known as the "tranquility property" which is generally desirable. Classification levels may be defined and assigned by a classification administrator according to familiar criteria, such as those employed under mandatory access control.

The classification administrator and the clearance administrator may, of course, exercise their rights and duties under other titles, such as "network administrator," "security officer," or the like. The classification administrator and the clearance administrator may be the same person, two different persons, or a larger group of persons, depending on who ultimately exercises the rights and duties of those administrative roles.

FIG. 3 illustrates a method of the invention for controlling information access after the system 10 has been configured. During an initiating step 40, a task is initiated through familiar steps such as random access memory allocation and instruction pointer initialization. A "task" includes any one or more of the following: a process servicing a connection request for a client, a server-based process such as a NetWare Loadable Module ("NLM") process, another system process, an application program, a daemon, a thread, or any other unit of executable software. Tasks may reside on, and the invention may be used on, client-server networks, peer-to-peer networks, local area networks, wide area networks, intranets, value-added networks, global networks, other
networks, mainframes, embedded computer systems, real-time control systems, standalone computer systems, or other computer systems.
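The partial ordering imposed on the authentication grades during the associating step 34, with the System High and System Low bracket grades of FIGS. 4 and 5 and a FIG. 5 style extension by one additional grade, as an added Python example. This is not code from the patent or from Novell: the grade names, the edges asserted between them, and the rule that a routine extension is rejected if it would alter the relationship between two previously defined grades (which the description above reserves for a reconfiguration) are assumptions drawn from the text.

```python
"""Partially ordered authentication grades (added example, not the patent's code).

`edges` lists pairs (lo, hi) asserted by the security administrator, meaning
grade lo is strictly less credible than grade hi. The transitive closure is
computed once so compare() can answer less / greater / equal / incomparable.
SYSTEM_HIGH and SYSTEM_LOW play the role of the internal grades 66 and 68.
"""


class GradeOrder:
    def __init__(self, grades, edges, system_high="SYSTEM_HIGH", system_low="SYSTEM_LOW"):
        self.system_high, self.system_low = system_high, system_low
        self.grades = frozenset(grades) | {system_high, system_low}
        # Every real grade sits between the two internal bracket grades.
        self.edges = set(edges)
        self.edges |= {(system_low, g) for g in self.grades if g != system_low}
        self.edges |= {(g, system_high) for g in self.grades if g != system_high}
        for lo, hi in self.edges:
            if lo not in self.grades or hi not in self.grades:
                raise KeyError(f"unknown grade in edge {(lo, hi)}")
        self.below = self._closure()

    def _closure(self):
        """below[g] = every grade strictly less than g; rejects cycles."""
        below = {g: set() for g in self.grades}
        for lo, hi in self.edges:
            below[hi].add(lo)
        changed = True
        while changed:
            changed = False
            for g in self.grades:
                reach = set().union(*(below[b] for b in below[g]))
                if not reach <= below[g]:
                    below[g] |= reach
                    changed = True
        for g in self.grades:
            if g in below[g]:
                raise ValueError(f"cycle through {g}: not a partial ordering")
        return below

    def compare(self, a, b):
        if a == b:
            return "equal"
        if a in self.below[b]:
            return "less"
        if b in self.below[a]:
            return "greater"
        return "incomparable"

    def is_total(self):
        """A total ordering is the special case with no incomparable pair."""
        return all(self.compare(a, b) != "incomparable"
                   for a in self.grades for b in self.grades)

    def extend(self, new_grade, below_of=(), above_of=()):
        """Add one grade and its edges, returning a new ordering (FIG. 5).

        The relationship between any two previously defined grades must survive
        unchanged; an extension that would alter one is a reconfiguration, not a
        routine extension, and is rejected here (assumed policy).
        """
        if new_grade in self.grades:
            raise ValueError(f"{new_grade} already defined")
        new_edges = set(self.edges)
        new_edges |= {(new_grade, hi) for hi in below_of}
        new_edges |= {(lo, new_grade) for lo in above_of}
        extended = GradeOrder(self.grades | {new_grade}, new_edges,
                              self.system_high, self.system_low)
        for a in self.grades:
            for b in self.grades:
                if self.compare(a, b) != extended.compare(a, b):
                    raise ValueError(f"adding {new_grade} would change {a} vs {b}")
        return extended


# Constructed grade set (assumption). The names mirror the criteria listed above:
# a hardware token and an identity certificate are each stronger than a password
# but are not comparable with each other or with NDS authentication.
GRADES = GradeOrder(
    ["cleartext_name", "password", "nds_auth", "hardware_token", "identity_certificate"],
    [("cleartext_name", "password"),
     ("password", "nds_auth"),
     ("password", "hardware_token"),
     ("password", "identity_certificate")],
)

if __name__ == "__main__":
    print(GRADES.compare("hardware_token", "identity_certificate"))   # incomparable
    print(GRADES.compare("nds_auth", "cleartext_name"))               # greater
    print(GRADES.extend("token_plus_cert",
                        above_of=["hardware_token", "identity_certificate"]).is_total())
```

The closure is recomputed from the asserted edges on every extension rather than patched in place, so the cycle check and the "nothing existing changed" check are both run against the complete ordering each time.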

The task is authenticated during an authenticating step 42. A given task may operate directly on behalf of a particular user, in which case "authenticating the task" involves determining the identity of the user for whom the task operates. A "user" is a human. A given task may also operate directly on behalf of some component of the computer system, and thus operate indirectly on behalf of users of the system. In this latter case, "authenticating the task" means determining the identity of the present task, and possibly also determining the identity of one or more ancestor tasks which created or initiated one another in a chain or web leading to the present task.

The task is authenticated using either a familiar authentication procedure or one which is not yet known but provides a means for verifying the identity of a task or the identity of a user on whose behalf a task is initiated. Many authentication procedures are commercially available, including those used by Novell's NetWare Directory Services software, by Novell's NetWare network operating system, by the Netscape Secure Sockets Layer software, by Lightweight Directory Access Protocol software, by password-based login software, by cleartext name login software, and by public and/or private key encryption software.

During reading steps 44 and 46, software and/or computer hardware embodying the invention reads the labels containing the authentication grades and clearance level(s) of the authentication procedure and the user(s) on behalf of whom the task operates. A user and/or task may have a single clearance level, a range of clearance levels, or even a list of clearance level ranges. Alternatively, the clearance level(s) of the task itself are identified if the task does not operate directly on behalf of any user.

During an optional connection characteristic identifying step 48, one or more characteristics of the user's connection to the system 10 (FIG. 1) are identified. Characteristics of the connection may include any or all of the following: socket identity; port identity; physical device identity, such as LAN identity, source address, router identity, or routing path; and connection characteristics listed in the Technical Background or elsewhere herein.

Although the steps 42 through 48 are shown in a particular order for clarity of illustration, it will be appreciated that their actual order of execution may vary. In general, any two steps of any method of the invention may be reordered or performed concurrently unless one of the steps provides information or otherwise prepares the way for the other step, which then necessarily follows the preparing step.

During an effective clearance label assigning step 50, one or more labels embodying the effective clearance of the task (or user) is assigned, stored with the task, or otherwise associated with the task or user in question. The effective clearance is based on the clearance assigned during the step 36 and the authentication grade associated with the authentication procedure used during the step 42.

The assigning step 50 may take the authentication grade into account by using the minimum of the authentication grade and a clearance level in the clearance label as an effective clearance level. Alternatively, the effective clearance level(s) may be a predetermined amount less than the assigned clearance level(s) (step 36), or may be obtained by table lookup as a function of the authentication grade.

Conditions involving the other available information, including without limitation the connection characteristics, may also be used in determining the effective clearance level(s). For instance, an effective clearance level may be set to a hypothetical Level Seven if the authentication grade is less than Novell Directory Services authentication, if the user's identified clearance level(s) are above Level Seven, or if the user is connected to the network 10 through a phone line that does not appear on a list of secure lines.
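The effective clearance label assigning step 50, as an added Python example that is not code from the patent. It implements the three rules the text gives (minimum of grade and clearance, a predetermined decrement, table lookup as a function of the grade) over either a single level or a trusted task's clearance range, and then applies the Level Seven condition as read here: the result is capped at Level Seven when the grade is below NDS authentication or the connection arrives over a phone line missing from the secure list. The numeric grade-to-level table (needed so that "minimum of grade and clearance" is defined on one scale), the per-grade decrements, the secure-line list and the sample calls are assumptions.

```python
"""Effective clearance from clearance level(s) and authentication grade.

Added example, not code from the patent. The clearance scale (0..255, matching
the 256 secrecy levels the FIG. 6 label allows), the grade table, the decrements
and the secure-line list are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Optional

LEVEL_SEVEN = 7

# Assumed table: the highest clearance level each authentication grade can vouch
# for. Mapping grades onto the clearance scale makes min() well defined.
GRADE_LEVEL = {"cleartext_name": 1, "password": 5, "nds_auth": 10,
               "hardware_token": 15, "identity_certificate": 20, "SYSTEM_HIGH": 255}

# Assumed "predetermined amount" subtracted per grade under the decrement rule.
GRADE_DECREMENT = {"cleartext_name": 6, "password": 3, "nds_auth": 1,
                   "hardware_token": 0, "identity_certificate": 0, "SYSTEM_HIGH": 0}

SECURE_LINES = {"555-0100", "555-0101"}   # constructed list of secure phone lines


@dataclass(frozen=True)
class Connection:
    phone_line: Optional[str] = None      # None: not a dial-up connection


RULES = {
    "min": lambda level, grade: min(level, GRADE_LEVEL[grade]),
    "decrement": lambda level, grade: max(0, level - GRADE_DECREMENT[grade]),
    "lookup": lambda level, grade: GRADE_LEVEL[grade],
}


def effective_clearance(clearance, grade, conn=None, rule="min"):
    """Return the effective clearance range (lo, hi) of a task.

    `clearance` is one level, or a (lo, hi) range for a trusted task; a single
    level yields the trivial range lo == hi. The chosen rule folds in the
    authentication grade, then the Level Seven cap is applied when the grade is
    below NDS authentication or the call comes over an unlisted phone line.
    """
    lo, hi = (clearance, clearance) if isinstance(clearance, int) else clearance
    if not 0 <= lo <= hi <= 255:
        raise ValueError("clearance range must be ordered and within 0..255")
    fold = RULES[rule]
    lo, hi = fold(lo, grade), fold(hi, grade)
    weak_grade = GRADE_LEVEL[grade] < GRADE_LEVEL["nds_auth"]
    unlisted_line = (conn is not None and conn.phone_line is not None
                     and conn.phone_line not in SECURE_LINES)
    if weak_grade or unlisted_line:
        lo, hi = min(lo, LEVEL_SEVEN), min(hi, LEVEL_SEVEN)
    return lo, hi


if __name__ == "__main__":
    print(effective_clearance(12, "password"))                                      # (5, 5)
    print(effective_clearance((8, 20), "hardware_token"))                           # (8, 15)
    print(effective_clearance(12, "identity_certificate", Connection("555-0999")))  # (7, 7)
```

The range form matters for trusted tasks: each endpoint is folded and capped separately, so a trusted task that authenticated weakly collapses to a trivial range at Level Seven instead of keeping its upper bound.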

To promote consistency of access rights throughout the network 10 (FIG. 1), an effective clearance label containing the results of the assigning step 50 is preferably distributed to other servers 16 (FIG. 1) during a distributing step 52. Distribution is accomplished using connections, packets, and/or other familiar data transmission means.

The distributed effective clearance may be structured in 
various ways, but must specify at least the current access 
rights of the task. For instance, the effective clearance may 
include the current clearance label of a regular (single-level) 
task, or the current nontrivial clearance range of a trusted 
task. 

Unlike conventional credentials or clearances, an effective clearance label according to the present invention reflects the authentication grade of the authentication procedure that was used to authenticate the task in question. Uniformity of access rights may not be possible with a given network, but the distributing step 52 may also be used to distribute the effective clearance label to a subset of servers in the system 10.

During a determining step 54, the access rights of the task 
and/or user with respect to a particular information object or 
class of information objects is determined. This determina- 
tion depends on at least the results of the classification label 
assigning step 38 and the effective clearance label assigning 
step 50. If the optional connection characteristic identifying 
step 48 is performed, the results of that step 48 may also 
affect the determining step 54. In one embodiment, the 
determining step 54 determines both read access rights and 
write access rights; in other embodiments, only read rights 
or write rights are determined. 

The determining step 54 proceeds according to a policy. 
One suitable policy implements the familiar Bell-LaPadula 
model, which may be summarized by the rules "No read up" 
and "No write down." That is, the task cannot read from 
information objects that are more sensitive, and cannot write 
to objects that are less sensitive, than the sensitivity level 
(effective clearance level(s)) of the task itself. Sensitivity 
levels of tasks and objects conventionally correspond to 
clearance levels and classification levels, respectively. 
According to the present invention, the sensitivity level of a 
task also reflects the authentication grade of the authentica- 
tion procedure by which the task entered the system 10 (FIG. 
1), with higher grades potentially granting or allowing 
higher sensitivity levels and vice versa. 

A policy may also, or in the alternative, implement the 
familiar Biba interpretation of the Bell-LaPadula model, 
which may be summarized by the rules "No read down" and 
"No write up." That is, the task cannot read from informa- 
tion objects that are less sensitive, and cannot write to 
objects that are more sensitive, than the sensitivity level of 
the task itself. The Bell-LaPadula model is directed to 
protecting the secrecy of information, while the Biba inter- 
pretation is directed to protecting the integrity of informa- 
tion. MAC-based policies can be used in conjunction with 
DAC constraints to determine access rights. 

In one embodiment, a directory services schema global 
area is used to hold policy definitions, but those of skill will 
recognize that other approaches are also possible under the 
invention. 
Integrity and secrecy sensitivities may be embodied in an
instance of a general label. One suitable format 80 for a 
general label is illustrated in FIG. 6. Those of skill in the art 
will appreciate that many other general label data structure 
formats, and other label data structure formats specifically 
for clearance or authentication grade or classification or 
effective clearance or combinations thereof, may also be 
employed according to the present invention. Corresponding 
human-readable labels are preferably also provided in a 
system configured according to the invention. 

The general label structure 80 shown in FIG. 6 contains 
thirty-two bytes of data or reserved space. This format 
allows a total of 256 secrecy levels, 256 integrity levels, 96 
secrecy categories, and 64 integrity categories. In addition, 
65,536 singleton secrecy categories and 65,536 singleton 
integrity categories can be defined. Singleton categories 
cannot be used in conjunction with each other, but may be 
used with other categories. Categories indicate a "need to 
know." Categories are either the same or not comparable. 
Any two category sets may be equal, or disjoint, or one may 
be a proper subset of the other. 

Bytes zero and one of the general label 80 are indicated 
at 82 in FIG. 6. Byte zero specifies the general label's type, 
which indicates whether a label value has been assigned to 
an object or task or authentication grade bearing an instance 
of the label 80 or otherwise associated with such an instance. 
Unmounted volumes and label instances apparently 
containing corrupted data may also be indicated. Byte one indicates 
the size of a label instance for internal memory management 
purposes. 

One of the four bytes indicated at 84 indicates the secrecy 
level, and another indicates the integrity level. The other two 
bytes are reserved. Bytes 6 and 7 are also reserved, as 
indicated at 86 in FIG. 6. Two of the bytes indicated at 88 
specify the singleton secrecy categories and the other two 
bytes specify the singleton integrity categories. Four of the 
bytes indicated at 90 specify additional secrecy categories 
and four of the bytes indicated at 92 specify additional 
integrity categories. The other bytes indicated at 90 and 92 
are reserved. 

Returning to FIG. 3, when evaluating labels to determine 
whether to deny a requested access, the determining step 54 
preferably considers the relationship between the specific 
label instances involved. For instance, it may depend in 
whole or in part on whether one label dominates another 
label, that is, whether the level(s) embodied in one label 
dominate the level(s) embodied in the other label. 

One policy allows a given task to read a given information 
object only if the secrecy portion of the task's label 
dominates the secrecy portion of the object's label and the 
integrity portion of the task's label is dominated by the 
integrity portion of the object's label. The policy allows a 
given task to write a given information object only if the 
secrecy portion of the task's label is equal to the secrecy 
portion of the object's label and the integrity portion of the 
task's label is equal to the integrity portion of the object's 
label. Other policies require other relationships. 

A particular user or task may be marked as trusted by 
being assigned two different labels which define an effective 
clearance range. One policy allows a trusted task to read a 
given information object only if the maximum secrecy 
portion of the trusted task's labels dominates the secrecy 
portion of the object's label, and the minimum integrity 
portion of the trusted task's labels is dominated by the 
integrity portion of the object's label. The policy allows a 
trusted task to write a given information object only if the 
secrecy portion of the object's label is contained within the 
secrecy portion of the trusted task's range and the integrity 
portion of the object's label is contained within the integrity 
portion of the trusted task's range. Other policies require 
other relationships. 
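The dominance relation and the two read/write policies just described (for an ordinary task and for a trusted task holding a clearance range), as an added Python example that is not part of the patent. It also folds in an assumed way of deriving a task's effective label from the user's clearance and an authentication grade's read ceiling and write floor; the AuthGrade fields, effective_label combination, and all sample labels are constructed assumptions.

```python
# Added example (not from the patent): label dominance, the ordinary-task and
# trusted-task read/write policies, and an ASSUMED way of applying an
# authentication grade's read ceiling / write floor to a user's clearance.
from dataclasses import dataclass
from typing import FrozenSet


@dataclass(frozen=True)
class Component:
    """One half of a general label: a level plus a set of 'need to know' categories."""
    level: int
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Component") -> bool:
        # Higher-or-equal level AND a superset of the other's categories.
        # Category sets that are neither equal nor nested are not comparable,
        # so neither component dominates the other.
        return self.level >= other.level and self.categories >= other.categories


@dataclass(frozen=True)
class Label:
    """A general label: secrecy sensitivity plus integrity sensitivity."""
    secrecy: Component
    integrity: Component


def may_read(task: Label, obj: Label) -> bool:
    """Ordinary task: secrecy 'no read up' and integrity 'no read down'."""
    return task.secrecy.dominates(obj.secrecy) and obj.integrity.dominates(task.integrity)


def may_write(task: Label, obj: Label) -> bool:
    """Ordinary task: write only at exactly its own secrecy and integrity."""
    return task.secrecy == obj.secrecy and task.integrity == obj.integrity


@dataclass(frozen=True)
class ClearanceRange:
    """Two labels marking a trusted task: its minimum and maximum."""
    low: Label
    high: Label


def _within(c: Component, low: Component, high: Component) -> bool:
    # c lies in the range when it dominates the floor and is dominated by the ceiling.
    return c.dominates(low) and high.dominates(c)


def trusted_may_read(rng: ClearanceRange, obj: Label) -> bool:
    """Trusted task: max secrecy dominates the object, min integrity is dominated by it."""
    return rng.high.secrecy.dominates(obj.secrecy) and obj.integrity.dominates(rng.low.integrity)


def trusted_may_write(rng: ClearanceRange, obj: Label) -> bool:
    """Trusted task: the object's secrecy and integrity both fall inside the range."""
    return (_within(obj.secrecy, rng.low.secrecy, rng.high.secrecy)
            and _within(obj.integrity, rng.low.integrity, rng.high.integrity))


@dataclass(frozen=True)
class AuthGrade:
    """ASSUMED shape of an authentication grade: the highest secrecy level a task
    authenticated this way may read, and the lowest integrity level it may write at."""
    name: str
    max_read_level: int
    min_write_level: int


def effective_label(clearance: Label, grade: AuthGrade) -> Label:
    """ASSUMED combination: cap the secrecy level by the grade's read ceiling and raise
    the integrity level to the grade's write floor; categories come from the clearance."""
    secrecy = Component(min(clearance.secrecy.level, grade.max_read_level),
                        clearance.secrecy.categories)
    integrity = Component(max(clearance.integrity.level, grade.min_write_level),
                          clearance.integrity.categories)
    return Label(secrecy, integrity)


# Constructed sample data (not from the patent).
REPORT = Label(Component(3, frozenset({"finance"})), Component(2))
USER_CLEARANCE = Label(Component(4, frozenset({"finance", "hr"})), Component(2))
STRONG = AuthGrade("certificate+token", max_read_level=5, min_write_level=0)
WEAK = AuthGrade("cleartext name", max_read_level=2, min_write_level=0)
AUDITOR_RANGE = ClearanceRange(Label(Component(1), Component(1)),
                               Label(Component(5, frozenset({"finance", "hr"})), Component(3)))


def demo() -> dict:
    """Return the access decisions for the sample data."""
    strong_task = effective_label(USER_CLEARANCE, STRONG)
    weak_task = effective_label(USER_CLEARANCE, WEAK)
    return {
        "strong_read": may_read(strong_task, REPORT),      # True: 4 >= 3, categories cover
        "strong_write": may_write(strong_task, REPORT),    # False: secrecy 4 != 3
        "weak_read": may_read(weak_task, REPORT),          # False: grade caps secrecy at 2
        "trusted_read": trusted_may_read(AUDITOR_RANGE, REPORT),    # True
        "trusted_write": trusted_may_write(AUDITOR_RANGE, REPORT),  # True
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```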

In summary, the present invention provides a novel 
approach of associating authentication grades with the basic 
aspects of mandatory access control (clearance and 
classification level enforcement) and which allows the use of 
access control lists and other discretionary access controls 
within secure confines. The invention also allows system 
administrators to implement a consistent system-wide policy 
by distributing effective clearance labels and policy 
definitions. Policies may conform with familiar models such as 
Bell-LaPadula and its Biba interpretation, and/or other 
requirements such as DAC constraints. Trusted tasks may be 
given broader access than other tasks. Perhaps most 
importantly, the authentication procedures used to access the 
system can be graded and the grades are taken into 
consideration to modify or override conventional mandatory or 
discretionary access control features. 

Although particular methods embodying the present 
invention are expressly illustrated and described herein, it 
will be appreciated that apparatus and article embodiments 
may be formed according to methods of the present 
invention. Unless otherwise expressly indicated, the description 
herein of methods of the present invention therefore extends 
to corresponding apparatus and articles, and the description 
of apparatus and articles of the present invention extends 
likewise to corresponding methods. 

The invention may be embodied in other specific forms 
without departing from its essential characteristics. The 
described embodiments are to be considered in all respects 
only as illustrative and not restrictive. Any explanations 
provided herein of the scientific principles employed in the 
present invention are illustrative only. The scope of the 
invention is, therefore, indicated by the appended claims 
rather than by the foregoing description. All changes which 
come within the meaning and range of equivalency of the 
claims are to be embraced within their scope. 

What is claimed and desired to be secured by patent is: 
1. A computer-implemented method for controlling access 
by a task to an information object in a computer network, the 
task having been previously authenticated by an 
authentication procedure to act on behalf of a user, the 
computer-implemented method comprising the steps of: 

associating an authentication grade with the 
authentication procedure; and 
determining the access rights of the task with respect to 
the information object based at least on the 
authentication grade; and then 
distributing an effective clearance label, after which the 
effective clearance label resides on a plurality of server 
computers in the computer network. 
2. The method of claim 1, wherein each of at least two 
authentication procedures is associated with its own distinct 
authentication grade, and a partial ordering is imposed on 
the authentication grades. 
3. A computer-implemented method for controlling access 
by a task to an information object in a computer network, the 
task having been previously authenticated by a first 
authentication procedure to act on behalf of a user, the 
computer-implemented method comprising the steps of: 

associating a first authentication grade with the first 
authentication procedure; 

associating a second authentication grade with a second 
authentication procedure; and 
determining the access rights of the task with respect to 
the information object based at least on the first 
authentication grade, wherein one of the authentication 
procedures has stronger cryptography than the other 
authentication procedure, and of the two procedures, 
the associating steps associate a higher authentication 
grade with the authentication procedure that has 
stronger cryptography. 

4. A computer-implemented method for controlling access 
by a task to an information object in a computer network, the 
task having been previously authenticated by an 
authentication procedure to act on behalf of a user, the 
computer-implemented method comprising the steps of: 

associating an authentication grade with the 
authentication procedure; 

identifying at least one clearance level previously 
assigned to the user by a clearance administrator; 

identifying at least one classification level previously 
assigned to the information object by a classification 
administrator; and 

determining the access rights of the task with respect to 
the information object based at least on the 
authentication grade, the clearance level and the classification 
level, 

wherein each of at least two authentication procedures is 
associated with its own distinct authentication grade, a 
partial ordering is imposed on the authentication 
grades, and the tranquility property is maintained over 
the partial ordering in the computer network. 

5. The method of claim 4, wherein the associating step 
associates a plurality of authentication procedures with the 
same authentication grade. 

6. The method of claim 4, wherein an additional 
authentication procedure is associated with its own additional 
authentication grade, and the partial ordering is extended to 
include the additional authentication grade. 

7. A computer-implemented method for controlling access 
by a task to an information object in a computer network, the 
task having been previously authenticated by an 
authentication procedure to act on behalf of a user, the 
computer-implemented method comprising the steps of: 

associating an authentication grade with the 
authentication procedure; 

identifying at least one clearance level previously 
assigned to the user by a clearance administrator; 

identifying at least one classification level previously 
assigned to the information object by a classification 
administrator; and 

determining the access rights of the task with respect to 
the information object based at least on the 
authentication grade, the clearance level, and the classification 
level, 

wherein each of at least two authentication procedures is 
associated with its own distinct authentication grade, 
one authentication procedure has stronger 
cryptography than another authentication procedure, and of the 
two procedures, the associating step associates a higher 
authentication grade with the authentication procedure 
that has stronger cryptography. 

8. A computer-implemented method for controlling access 
by a task to an information object in a computer network, the 
task having been previously authenticated by an 
authentication procedure to act on behalf of a user, the 
computer-implemented method comprising the steps of: 

associating an authentication grade with the 
authentication procedure; 

identifying at least one clearance level previously 
assigned to the user by a clearance administrator; 

identifying at least one classification level previously 
assigned to the information object by a classification 
administrator; and 

determining the access rights of the task with respect to 
the information object based at least on the 
authentication grade, the clearance level, and the classification 
level, 

wherein each of at least two authentication procedures is 
associated with its own distinct authentication grade, 
one authentication procedure reviews a user identity 
certificate and another authentication procedure does 
not, and of the two procedures, the associating step 
associates a higher authentication grade with the 
authentication procedure that reviews the user identity 
certificate. 

9. A computer-implemented method for controlling access 
by a task to an information object in a computer network, the 
task having been previously authenticated by an authenti- 
cation procedure to act on behalf of a user, the computer- 
implemented method comprising the steps of: 

associating an authentication grade with the 
authentication procedure; 

identifying at least one clearance level previously 
assigned to the user by a clearance administrator; 

identifying at least one classification level previously 
assigned to the information object by a classification 
administrator; and 

determining the access rights of the task with respect to 
the information object based at least on the authenti- 
cation grade, the clearance level, and the classification 
level, 

wherein each of at least two authentication procedures is 
associated with its own distinct authentication grade, 
one authentication procedure requires a hardware token 
and another authentication procedure does not, and of 
the two procedures, the associating step associates a 
higher authentication grade with the authentication 
procedure that requires the hardware token. 

10. A computer-implemented method for controlling 
access by a task to an information object in a computer 
network, the task having been previously authenticated by 
an authentication procedure to act on behalf of a user, the 
computer-implemented method comprising the steps of: 

associating an authentication grade with the authentica- 
tion procedure; 

identifying at least one clearance level previously 
assigned to the user by a clearance administrator; 

identifying at least one classification level previously 
assigned to the information object by a classification 
administrator; and 

determining the access rights of the task with respect to 
the information object based at least on the authenti- 
cation grade, the clearance level, and the classification 
level, 

wherein each of at least two authentication procedures is 
associated with its own distinct authentication grade, 
one authentication procedure verifies that trusted hard- 
ware and/or trusted software is in use and another 
authentication procedure does not, and of the two 
procedures, the associating step associates a higher 
authentication grade with the authentication procedure 
that verifies such use. 

11. A computer-implemented method for controlling 
access by a task to an information object in a computer 
network, the task having been previously authenticated by 
an authentication procedure to act on behalf of a user, the 
computer-implemented method comprising the steps of: 

associating an authentication grade with the 
authentication procedure; 

identifying at least one clearance level previously 
assigned to the user by a clearance administrator; 

identifying at least one classification level previously 
assigned to the information object by a classification 
administrator; and 

determining the access rights of the task with respect to 
the information object based at least on the 
authentication grade, the clearance level, and the classification 
level, 

wherein one of the authentication grades is associated 
with a directory service authentication procedure. 

12. A computer-implemented method for controlling 
access by a task to an information object in a computer 
network, the task having been previously authenticated by an 
authentication procedure to act on behalf of a user, the 
computer-implemented method comprising the steps of: 

associating an authentication grade with the 
authentication procedure; 

identifying at least one clearance level previously 
assigned to the user by a clearance administrator; 

identifying at least one classification level previously 
assigned to the information object by a classification 
administrator; and 

determining the access rights of the task with respect to 
the information object based at least on the 
authentication grade, the clearance level, and the classification 
level, 

wherein one of the authentication grades is associated 
with a Secure Sockets Layer authentication procedure. 

13. A computer-implemented method for controlling 
access by a task to an information object in a computer 
network, the task having been previously authenticated by an 
authentication procedure to act on behalf of a user, the 
computer-implemented method comprising the steps of: 

associating an authentication grade with the 
authentication procedure; 

identifying at least one clearance level previously 
assigned to the user by a clearance administrator; 

identifying at least one classification level previously 
assigned to the information object by a classification 
administrator; and 

determining the access rights of the task with respect to 
the information object based at least on the 
authentication grade, the clearance level, and the classification 
level, 

wherein one of the authentication grades is associated 
with a cleartext name authentication procedure. 

14. A computer-implemented method for controlling 
access by a task to an information object in a computer 
network, the task having been previously authenticated by 
an authentication procedure to act on behalf of a user, the 
computer-implemented method comprising the steps of: 

associating an authentication grade with the 
authentication procedure; 

identifying at least one clearance level previously 
assigned to the user by a clearance administrator; 

identifying at least one classification level previously 
assigned to the information object by a classification 
administrator; and 

determining the access rights of the task with respect to 
the information object based at least on the 
authentication grade, the clearance level, and the classification 
level, 

wherein the task is connected to the computer network by 
a connection, the method further comprises the 
computer-implemented step of identifying at least one 
characteristic of the connection, and the determining 
step determines the access rights of the task with 
respect to the information object based at least on the 
authentication grade, the clearance level, the 
classification level, and at least one characteristic of the 
connection. 

15. A computer-implemented method for controlling 
access by a task to an information object in a computer 
network, the task having been previously authenticated by 
an authentication procedure to act on behalf of a user, the 
computer-implemented method comprising the steps of: 

associating an authentication grade with the authentica- 
tion procedure; 

identifying at least one clearance level previously 
assigned to the user by a clearance administrator; 

identifying at least one classification level previously 
assigned to the information object by a classification 
administrator; and 

determining the access rights of the task with respect to 
the information object based at least on the authenti- 
cation grade, the clearance level, and the classification 
level, and 

marking the task as a trusted task by assigning a nontrivial 
clearance range to the task. 

16. The method of claim 4, wherein the clearance level 
may not be changed without authorization from the clear- 
ance administrator and the classification level may not be 
changed without authorization from the classification 
administrator. 

17. A computer-implemented method for controlling 
access by a task to an information object in a computer 
network, the task having been previously authenticated by an 
authentication procedure to act on behalf of a user, the 
computer-implemented method comprising the steps of: 

associating an authentication grade with the authentica- 
tion procedure; 

identifying at least one clearance level previously 
assigned to the user by a clearance administrator; 

identifying at least one classification level previously 
assigned to the information object by a classification 
administrator; and 

determining the access rights of the task with respect to 
the information object based at least on the authenti- 
cation grade, the clearance level, and the classification 
level, 

wherein the clearance level and the classification level are 
each stored as an instance of the same label structure. 

18. A computer-implemented method for controlling 
access by a task to an information object in a computer 
network, the task having been previously authenticated by 
an authentication procedure to act on behalf of a user, the 
computer-implemented method comprising the steps of: 

associating an authentication grade with the authentica- 
tion procedure; 

identifying at least one clearance level previously 
assigned to the user by a clearance administrator; 

identifying at least one classification level previously 
assigned to the information object by a classification 
administrator; and 
determining the access rights of the task with respect to 
the information object based at least on the 
authentication grade, the clearance level, and the classification 
level, 

wherein the computer system includes a computer 
network, the determining step is followed by the 
computer-implemented step of distributing an effective 
clearance label, after which the effective clearance 
label resides on a plurality of server computers in the 
computer network. 

19. A computer-implemented method for controlling 
access by a task to an information object in a computer 
network, the task having been previously authenticated by 
an authentication procedure to act on behalf of a user, the 
computer-implemented method comprising the steps of: 

associating an authentication grade with the 
authentication procedure; 

identifying at least one clearance level previously 
assigned to the user by a clearance administrator; 

identifying at least one classification level previously 
assigned to the information object by a classification 
administrator; and 

determining the access rights of the task with respect to 
the information object based at least on the 
authentication grade, the clearance level, and the classification 
level, 

wherein the effective clearance label specifies the current 
nontrivial clearance range of the task. 

20. A computer-implemented method for controlling 
access by a task to an information object in a computer 
network, the task having been previously authenticated by 
an authentication procedure to act on behalf of a user, the 
computer-implemented method comprising the steps of: 

associating an authentication grade with the 
authentication procedure; 

identifying at least one clearance level previously 
assigned to the user by a clearance administrator; 

identifying at least one classification level previously 
assigned to the information object by a classification 
administrator; and 

determining the access rights of the task with respect to 
the information object based at least on the 
authentication grade, the clearance level, and the classification 
level, 

wherein a plurality of server computers in the computer 
network are configured such that the user has the same 
access rights to the information object on each of those 
server computers. 

21. The method of claim 4, wherein the determined read 
access rights conform with the Bell-LaPadula model. 

22. The method of claim 4, wherein the determined write 
access rights conform with the Biba interpretation of the 
Bell-LaPadula model. 

23. The method of claim 4, wherein the authentication 
grade is partially ordered with respect to at least one other 
authentication grade, and each authentication grade specifies 
the highest level any task authenticated by the procedure 
associated with the grade may read and also specifies the 
lowest level any task authenticated by the procedure 
associated with the grade may write. 

24. A computer network comprising: 
at least one information object; 

authentication means for authenticating a task to execute 
on at least a portion of the computer network on behalf 
of a user; 
execution means capable of executing the task, including 
memory and at least one processor; 

association means for associating an authentication grade 
with the authentication means; 

clearance identification means for identifying at least one 
clearance level previously assigned to the user by a 
clearance administrator; 

classification identification means for identifying at least 
one classification level previously assigned to the infor- 
mation object by a classification administrator; and 

determination means for determining the access rights of 
the task with respect to the information object based at 
least on the authentication grade, the clearance level, 
and the classification level, 

wherein each of at least two authentication means is 
associated with its own distinct authentication grade, a 
partial ordering is imposed on the authentication grades 
by the association means, the network comprises an 
additional authentication means, the association means 
associates the additional authentication means with its 
own additional authentication grade, and the partial 
ordering is extended to include the additional authen- 
tication grade. 

25. A computer network comprising: 
at least one information object; 

authentication means for authenticating a task to execute 
on at least a portion of the computer network on behalf 
of a user; 

execution means capable of executing the task, including 
memory and at least one processor; 

association means for associating an authentication grade 
with the authentication means; 

clearance identification means for identifying at least one 
clearance level previously assigned to the user by a 
clearance administrator; 

classification identification means for identifying at least 
one classification level previously assigned to the infor- 
mation object by a classification administrator; and 

determination means for determining the access rights of 
the task with respect to the information object based at 
least on the authentication grade, the clearance level, 
and the classification level, 

wherein each of at least two authentication means is 
associated with its own distinct authentication grade, 
one authentication means uses stronger cryptography 
than another authentication means, and the association 
means associates a higher authentication grade with the 
authentication means that uses stronger cryptography. 

26. A computer network comprising: 
at least one information object; 

authentication means for authenticating a task to execute 
on at least a portion of the computer network on behalf 
of a user; 

execution means capable of executing the task, including 
memory and at least one processor; 

association means for associating an authentication grade 
with the authentication means; 

clearance identification means for identifying at least one 
clearance level previously assigned to the user by a 
clearance administrator; 

classification identification means for identifying at least 
one classification level previously assigned to the infor- 
mation object by a classification administrator; and 

determination means for determining the access rights of 
the task with respect to the information object based at 
least on the authentication grade, the clearance level, 
and the classification level, 

wherein each of at least two authentication means is 
associated with its own distinct authentication grade, 
one authentication means verifies that trusted hardware 
and/or trusted software is in use and another 
authentication means does not, and the association means 
associates a higher authentication grade with the 
authentication means that verifies such use. 

27. A computer network comprising: 
at least one information object; 

authentication means for authenticating a task to execute 
on at least a portion of the computer network on behalf 
of a user; 

execution means capable of executing the task, including 
memory and at least one processor; 

association means for associating an authentication grade 
with the authentication means; 

clearance identification means for identifying at least one 
clearance level previously assigned to the user by a 
clearance administrator; 

classification identification means for identifying at least 
one classification level previously assigned to the 
information object by a classification administrator; and 

determination means for determining the access rights of 
the task with respect to the information object based at 
least on the authentication grade, the clearance level, 
and the classification level, 

wherein the authentication means includes means for 
performing a network operating system authentication 
procedure. 

28. A computer network comprising: 
at least one information object; 

authentication means for authenticating a task to execute 
on at least a portion of the computer network on behalf 
of a user; 

execution means capable of executing the task, including 
memory and at least one processor; 

association means for associating an authentication grade 
with the authentication means; 

clearance identification means for identifying at least one 
clearance level previously assigned to the user by a 
clearance administrator; 

classification identification means for identifying at least 
one classification level previously assigned to the 
information object by a classification administrator; and 

determination means for determining the access rights of 
the task with respect to the information object based at 
least on the authentication grade, the clearance level, 
and the classification level, 

wherein the authentication means includes means for 
performing a Secure Sockets Layer authentication 
procedure. 

29. A computer network comprising: 
at least one information object; 

authentication means for authenticating a task to execute 
on at least a portion of the computer network on behalf 
of a user; 

execution means capable of executing the task, including 
memory and at least one processor; 

association means for associating an authentication grade 
with the authentication means; 

clearance identification means for identifying at least one 
clearance level previously assigned to the user by a 
clearance administrator; 

classification identification means for identifying at least 
one classification level previously assigned to the 
information object by a classification administrator; and 

determination means for determining the access rights of 
the task with respect to the information object based at 
least on the authentication grade, the clearance level, 
and the classification level, 

wherein the task is connected to the computer network by 
a connection, the computer network further comprises 
means for identifying at least one characteristic of the 
connection, and the determination means determines 
the access rights of the task with respect to the 
information object based at least on the authentication 
grade, the clearance level, the classification level, and 
at least one characteristic of the connection. 

30. A computer network comprising: 
at least one information object; 

authentication means for authenticating a task to execute 
on at least a portion of the computer network on behalf 
of a user; 

execution means capable of executing the task, including 
memory and at least one processor; 

association means for associating an authentication grade 
with the authentication means; 

clearance identification means for identifying at least one 
clearance level previously assigned to the user by a 
clearance administrator; 

classification identification means for identifying at least 
one classification level previously assigned to the infor- 
mation object by a classification administrator; and 

determination means for determining the access rights of 
the task with respect to the information object based at 
least on the authentication grade, the clearance level, 
and the classification level, 

further comprising means for marking the task as a trusted 
task by assigning a nontrivial effective clearance range 
to the task. 

31. A computer network comprising: 
at least one information object; 

authentication means for authenticating a task to execute 
on at least a portion of the computer network on behalf 
of a user; 

execution means capable of executing the task, including 
memory and at least one processor; 

association means for associating an authentication grade 
with the authentication means; 

clearance identification means for identifying at least one 
clearance level previously assigned to the user by a 
clearance administrator; 

classification identification means for identifying at least 
one classification level previously assigned to the infor- 
mation object by a classification administrator; 

determination means for determining the access rights of 
the task with respect to the information object based at 
least on the authentication grade, the clearance level, 
and the classification level; and 

distribution means for distributing an effective clearance 
label of the task so that the effective clearance label 
resides on a plurality of server computers in the com- 
puter network. 

32. The computer network of claim 24, wherein the 
determination means determines read access rights accord- 
ing to the Bell-LaPadula Model. 

33. The computer network of claim 24, wherein the 
determination means determines write access rights accord- 
ing to the Biba interpretation of the Bell-LaPadula Model. 
34. A computer storage medium having a configuration
that represents data and instructions which will cause at least
a portion of a computer network to perform method steps for
controlling access by a task to an information object in the
computer network after the task has been authenticated by an
authentication procedure to act on behalf of a user, the
method steps comprising the steps of:

associating an authentication grade with the authentication
procedure;

identifying at least one clearance level previously
assigned to the user by a clearance administrator;

identifying at least one classification level previously
assigned to the information object by a classification
administrator; and

determining the access rights of the task with respect to
the information object based at least on the authentication
grade, the clearance level, and the classification
level,

wherein the task is connected to the computer network by
a connection, the method further comprises the
computer-implemented step of identifying at least one
characteristic of the connection, and the determining
step determines the access rights of the task with
respect to the information object based at least on the
authentication grade, the clearance level, the classification
level and at least one characteristic of the
connection.

35. The computer storage medium of claim 34, wherein
each of at least two authentication procedures is associated
with its own distinct authentication grade, and a partial
ordering is imposed on the authentication grades.

36. A computer storage medium having a configuration
that represents data and instructions which will cause at least
a portion of a computer network to perform method steps for
controlling access by a task to an information object in the
computer network after the task has been authenticated by an
authentication procedure to act on behalf of a user, the
method steps comprising the steps of:

associating an authentication grade with the authentication
procedure;

identifying at least one clearance level previously
assigned to the user by a clearance administrator;

identifying at least one classification level previously
assigned to the information object by a classification
administrator; and

determining the access rights of the task with respect to
the information object based at least on the authentication
grade, the clearance level, and the classification
level,

wherein each of at least two authentication procedures is
associated with its own distinct authentication grade, a
partial ordering is imposed on the authentication
grades, one authentication procedure has stronger cryptography
than another authentication procedure, and of
the two procedures, the associating step associates a
higher authentication grade with the authentication
procedure that has stronger cryptography.

37. A computer storage medium having a configuration
that represents data and instructions which will cause at least
a portion of a computer network to perform method steps for
controlling access by a task to an information object in the
computer network after the task has been authenticated by an
authentication procedure to act on behalf of a user, the
method steps comprising the steps of:

associating an authentication grade with the authentication
procedure;

identifying at least one clearance level previously
assigned to the user by a clearance administrator;

identifying at least one classification level previously
assigned to the information object by a classification
administrator; and

determining the access rights of the task with respect to
the information object based at least on the authentication
grade, the clearance level, and the classification
level,

wherein each of at least two authentication procedures is
associated with its own distinct authentication grade, a
partial ordering is imposed on the authentication
grades, and one of the authentication grades is associated
with at least one of a directory service authentication
procedure and a network operating system
authentication procedure.

38. A computer storage medium having a configuration
that represents data and instructions which will cause at least
a portion of a computer network to perform method steps for
controlling access by a task to an information object in the
computer network after the task has been authenticated by an
authentication procedure to act on behalf of a user, the
method steps comprising the steps of:

associating an authentication grade with the authentication
procedure;

identifying at least one clearance level previously
assigned to the user by a clearance administrator;

identifying at least one classification level previously
assigned to the information object by a classification
administrator; and

determining the access rights of the task with respect to
the information object based at least on the authentication
grade, the clearance level, and the classification
level,

wherein the determining step is followed by the
computer-implemented step of distributing an effective
clearance label, after which the effective clearance
label resides on a plurality of server computers in the
computer network.

39. The computer storage medium of claim 34, wherein 
the determined read access rights conform with the Bell- 
LaPadula Model. 

40. The computer storage medium of claim 34, wherein
the determined write access rights conform with the Biba
interpretation of the Bell-LaPadula Model.
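An added example, not part of the patent, that models the determination step of claims 34 through 40 in Python: the task's effective clearance is the user's administered clearance capped by the authentication grade and by the connection characteristic, a trusted task carries a nontrivial clearance range (claim 30), and the resulting label is what would be distributed to the servers (claim 38). Read access follows the Bell-LaPadula simple-security rule; write access is implemented as the *-property (no write down), which is assumed here as the reading of claim 40, and the level names, grade caps and connection caps are constructed sample values.

```python
from dataclasses import dataclass

# Sensitivity levels in a total order (constructed sample hierarchy).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}

# Authentication grade -> highest level it may vouch for (assumed values;
# stronger cryptography earns the higher grade, cf. claim 36; two grades
# with equal caps are unordered, so this is only a partial order).
AUTH_GRADE_CAP = {"password": 1, "nos_login": 2, "directory_service": 2,
                  "pki_token": 3}

# Connection characteristic -> highest level allowed over it (assumed).
CONNECTION_CAP = {"console": 3, "encrypted_wan": 2, "plaintext_wan": 0}

@dataclass(frozen=True)
class EffectiveClearance:
    """Clearance range [low, high] carried by a task. An ordinary task has
    low == high; a trusted task (claim 30) gets a nontrivial range."""
    low: int
    high: int

def effective_clearance(user_clearance, auth_grade, connection,
                        trusted_low=None):
    """Determination step: the administered clearance is capped by the
    authentication grade and by the connection characteristic, so a weak
    login or an unprotected link never yields the user's full clearance."""
    high = min(LEVELS[user_clearance], AUTH_GRADE_CAP[auth_grade],
               CONNECTION_CAP[connection])
    low = high if trusted_low is None else min(LEVELS[trusted_low], high)
    return EffectiveClearance(low, high)

def access_rights(ec, classification):
    """Read: Bell-LaPadula simple security (no read up). Write: *-property
    (no write down), assumed here as the reading of claim 40."""
    c = LEVELS[classification]
    rights = set()
    if ec.high >= c:
        rights.add("read")
    if ec.low <= c:
        rights.add("write")
    return rights

def clearance_label(ec):
    """Label distributed to every server (claim 38) so all of them apply
    the same determination instead of recomputing it locally."""
    names = {v: k for k, v in LEVELS.items()}
    return {"low": names[ec.low], "high": names[ec.high],
            "trusted": ec.low != ec.high}
```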